Building Secure Block Ciphers on Generic Attacks Assumptions

Jacques Patarin1 and Yannick Seurin1,2

1 University of Versailles, France 2 Orange Labs, Issy-les-Moulineaux, France [email protected], [email protected]

Abstract. Up to now, the design of block ciphers has been mainly driven by heuristic arguments, and little theory is known to constitute a good guideline for the development of their architecture. Trying to remedy this situation, we introduce a new type of design for symmetric cryptographic primitives with high self-similarity. Our design strategy enables to give a reductionist security proof for the primitive based on plausible assumptions regarding the complexity of the best distinguishing attacks on random Feistel schemes or other ideal constructions. Under these assumptions, the cryptographic primitives we obtain are perfectly secure against any adversary with computational resources less than a given bound. By opposition, other provably secure symmetric primitives, as for example C [3] and KFC [4], designed using information-theoretic results, are only proved to resist a limited (though significant) range of attacks. Our construction strategy leads to a large expanded key size, though still usable in practice (around 1 MB).

Keywords: block ciphers, Feistel schemes, generic attacks, provable security.

1 Introduction

Provable Security. Building provably secure but still efficient block ciphers is certainly the most desired but also the most challenging goal of symmetric cryptography. In the area of asymmetric cryptography, “provable security” means that one is mathematically able to reduce the security of a primitive to a well studied and presumably difficult problem such as integer factorisation or discrete logarithm (see [17] for an overview but also a critical look at “provable security” in public key cryptography). The situation in symmetric cryptography is quite different: the security of the most widely deployed primitives often relies on heuristic arguments of one of the three following types: – lack of known attacks whose complexity is less than “brute-force” attacks or less than the desired security level (typically 280 operations nowadays). – provable security against some classes of attacks, typically differential and linear cryptanalysis when dealing with block ciphers. For example, AES does possess such security arguments.

R. Avanzi, L. Keliher, and F. Sica (Eds.): SAC 2008, LNCS 5381, pp. 66–81, 2009. c Springer-Verlag Berlin Heidelberg 2009 Building Secure Block Ciphers on Generic Attacks Assumptions 67

– provable security when some components of the primitive are replaced by “ideal” ones. This kind of arguments apply for example for all Feistel ciphers such as DES, for which the celebrated result of Luby and Rackoff [19] shows that when the internal functions are pseudorandom, the cipher is secure in the sense that it is a pseudorandom permutation. This, however, does not yield any security proof for the real primitive, but only ensures that the general structure of the algorithm does not present intrinsic weaknesses. Provable security in symmetric cryptography in the reductionist sense discussed for asymmetric cryptography is rather rare. Most notable examples include some number-theoretic hash functions like VSH [10] and the stream cipher QUAD [6] whose security relies on the difficulty of solving systems of multivariate quadratic equations. However, there is to the best of our knowledge no block cipher with security reduction to some hard problem proposed so far. More concernedly, no difficult problems have been identified as suitable for such a design goal. We will see that the problem of distinguishing a Feistel scheme from a random permutation could be a potential candidate.

The Proposal. We propose to build a block cipher whose security can be reduced to some simple and well studied problem. The hard problem we propose is not number-theoretic like for most schemes of asymmetric cryptography. We will use the problem of distinguishing a random Feistel scheme from a random permutation. The rational for such a choice is that Feistel schemes have been extensively studied in the cryptographic literature since the introduction of DES. Though most of this literature is primarily concerned with the information- theoretic properties of these schemes, some authors have studied the so-called “generic attacks” on them. The term generic attacks, introduced by Kilian and Rogaway in [16], means any attack performed on Feistel schemes instantiated using uniformly random and independent functions in each round (which we will name a “random Feistel scheme” in the following), and hence not making use of the underlying structure of the function generator of a real cipher such as DES. Though we will primarily use Feistel schemes, any well studied structure with similar properties could be used. We propose to go beyond the intrinsic limitations of information-theoretic designs. For Feistel schemes, information theory is “stuck” at five rounds in the sense that increasing the number of rounds beyond five does not increase the number of queries needed by a computationally unbounded adversary to dis- tinguish the Feistel scheme from a random permutation. Indeed, whatever the number r ≥ 5 of rounds used in a random Feistel schemes from 2n bits to 2n bits, there is always an oracle adversary making Θ(2n) queries and distinguish- ing a random Feistel scheme from a random permutation with high probability. However the computational complexity of this distinguisher can be extremely high. Taking the problem in the opposite way, we will make the hypothesis (and give arguments supporting it) that the best generic attacks described against Feistel schemes cannot be improved, anddesignapermutationgeneratorsuch 68 J. Patarin and Y. Seurin that any distinguishing attack against it would imply an improvement of the generic attacks against random Feistel schemes. To achieve this goal, we will start from a Feistel scheme with r1 rounds us- ing random and independent functions at each round, and evaluate its security according to the best generic attacks. Then, rather than using independent and random functions directly as the key, we will instantiate each of these functions with independent Feistel schemes with r2 rounds, and again estimate the security of the overall construction with respect to the best generic attacks. We will keep on using this recursive structure until the total size of the key (constituted of the random functions used at the innermost level of the construction) becomes practical. We name this design strategy the “Russian Dolls” construction. As we will see, the complexity of the best distinguisher described so far increases exponentially with the number of rounds of the Feistel scheme, so that using a reasonable number of rounds will be sufficient for a good level of security. Note that in the information-theoretic setting, the innermost Feistel schemes would be potentially weak as they have very small block size. However, any attack on the resulting block cipher would imply a better generic attack on random Feistel schemes at some level of the construction.

Related Work. There have been a number of “provably secure” block ciphers proposals. We review the most prominent of them. BEAR and LION were proposed by Anderson and Biham [2]. They are constructed from an ideal stream cipher and an ideal hash function, and the authors proved that attacking the block cipher would imply an attack on one of the underlying components. Later Pat Morin [22] identified some weaknesses in BEAR and LION and proposed AARDVARK, which is based on the same design strategy. Zheng, Matsumoto and Imai [36] presented block ciphers built on so-called Generalized Type-2 transformations (which are kinds of generalized Feistel con- structions). They analysed their constructions in the information-theoretic set- ting and gave evidence supporting the security of their primitives, but no formal security proof. Baignères and Finiasz built on Vaudenay’s decorrelation theory [35] to pro- pose two block ciphers, C [3] and KFC [4], provably secure against a wide range of attacks. This is the logical continuation of the work initiated with the NUT family [35] (COCONUT, PEANUT)andtheAES proposal DFC [13]. Again, their security proof relies on information-theoretic arguments. In partic- ular, KFC is based on a 3-round Feistel scheme using round functions with a very low decorrelation bias and is proved resistant against “d-limited” adversaries making less than d =8or 70 queries, depending on the parameters. The security proof also handles so-called “iterated attacks” of order d/2, where the adversary repeats independent non-adaptive d/2-limited attacks. However, we note that as the Feistel scheme of KFC has only 3 rounds, it is vulnerable to a distinguishing attack making only 3 chosen plaintext-ciphertext queries (see Section 4.2). Granboulan and Pornin [14] proposed an efficient way of generating perfectly random permutations (i.e. statistically very close to the uniform distribution, even for an attacker having the entire codebook) using a pseudorandom number Building Secure Block Ciphers on Generic Attacks Assumptions 69 generator, however their construction is only practical for small plaintext do- mains (typically less than 30-bit blocks). The prior proposal which is the closest to our work was made by Blaze [7] but never published. He proposed the block cipher TURTLE and the stream cipher HAZE. TURTLE is simply the Russian Dolls construction where 4- rounds Feistel schemes are used at each stage, and HAZE is based on TURTLE in counter mode. Yet the security arguments proposed by Blaze are quite different from ours. He claims that retrieving the secret functions of an r-round Feistel scheme, r ≥ 3, is NP-complete by reducing this problem to Numerical Matching with Target Sums (NMTS) [11]. However, keeping the number or rounds constant as the block-size decreases implies a dramatic loss of security.

Organization. Our paper is organized as follows. First we give our nota- tions and some standard security definitions. Then, we describe the Russian Dolls design strategy in all generality and state theorems about its security. In Section 4 we analyse the Russian Dolls construction using balanced Feistel schemes. We highlight some promising possibilities for future work and draw our conclusions in Section 5.

2 Preliminaries

Notations. Throughout the whole paper, we will use the following notations. We will denote by s ←−$ S the operation of selecting an element in the set S endowed with the uniform probability distribution. Func (D, R) will denote the set of all functions from D to R, Perm (D) the set of all permutations on D,and + Perm (D) the set of all permutations on D with an even signature. In will de- note the set of binary strings of length n, and we will use Func (n, m), Perm (n) + + and Perm (n) as shorthands for Func (In,Im), Perm (In) and Perm (In) re- spectively. A family of functions from D to R indexed by key space K is a function E : K×D → R. We will use the notation EK (X) as shorthand for E(K, X). E is a family of permutations if D = R and EK is a permutation for each K ∈K.We −1 will denote by EK the inverse of EK . We will sometimes use the terms function or permutation generator instead of family of functions or permutations. Given a function f of Func (n, n), the 1-round Feistel scheme Ψf is the ele- ment of Perm (2n) defined by Ψf (x)=xRxL ⊕ f(xR),wherexL and xR de- note respectively the left and right halves of the 2n-bit string x. We will note

Ψf1,...,fr the r-rounds Feistel scheme Ψfr ◦ ...◦ Ψf1 . Given two non null inte- (r) gers n and r, Ψ (2n) will denote the permutation generator on I2n with key r space Func (n, n) ,takingasargumentsr functions (f1,...,fr) in Func (n, n) x ∈ I Ψ x Ψ (r) and 2n and returning f1,...,fr ( ). When we omit the block-size, i.e. , it will implicitly be 2n. The adversaries we will consider are probabilistic. Implicitly, when we note Pr[s ←−$ S : A =1]the probability will always be on S and the internal ran- domness of A. 70 J. Patarin and Y. Seurin

Pseudorandom Functions and Permutations. The notion of pseudoran- dom function (PRF) was introduced by [12], and the notion of pseudorandom and strong (or super-) pseudorandom permutation (PRP and SPRP) by [18]. Informally, a PRF is a family of functions E indexed by a key space K such that any efficient adversary with access to an oracle can distinguish a function associated to a random key K ←−K$ from a uniformly random function only with negligible probability. The definition of a PRP is quite similar, except that the adversary tries to distinguish the permutation family from a uniformly random permutation. For a SPRP, the adversary is given access to two oracles, either EK −1 −1 and EK for a random K,orG and G for a uniformly random permutation G. Rather than using the usual asymptotic notions of PRF and PRP, we will use the concrete security approach introduced in [5] where the distinguishing advantage of an adversary is measured as a function of its resources (namely, runtime and number of oracle queries). We give now the following formal definitions.

Definition 1 (PRF). Let E : K×D→R be a family of functions from D to R indexed by keys K. An adversary A (, T )-distinguishes E as a PRF if it runs in time at most T and prf $ EK AdvE (A)= Pr K ←−K : A =1 − Pr G ←−$ Func (D, R):AG =1 ≥ .

We will say that E is an (, T )-secure PRF if no adversary is able to (, T )- distinguish it.

Definition 2 (PRP). Let E : K×D→D be a family of permutations on D indexed by keys K. An adversary A (, T )-distinguishes E as a PRP if it runs in time at most T and prp $ EK AdvE (A)= Pr K ←−K : A =1 − Pr G ←−$ Perm (D):AG =1 ≥ .

We will say that E is an (, T )-secure PRP if no adversary is able to (, T )- distinguish it.

Definition 3 (SPRP). Let E : K×D→D be a family of permutations on D indexed by keys K. An adversary A (, T )-distinguishes E as a SPRP if it runs in time at most T and −1 sprp $ EK ,EK AdvE (A)= Pr K ←−K : A =1 −1 − Pr G ←−$ Perm (D):AG,G =1 ≥ .

We will say that E is an (, T )-secure SPRP if no adversary is able to (, T )- distinguish it. Building Secure Block Ciphers on Generic Attacks Assumptions 71

O T ,T n Alternatively, when a primitive is ( ( f(n) ) )-secure for some parameter , where O stands for some small constant independent of n, we will say that it is Ω(f(n))-secure, meaning that a distinguisher must have runtime greater than f(n) to have a non-negligible advantage. Note that all our definitions are stated in terms of runtime T of the adversary. The total number q of queries of the adversary to the oracle will only be constrained by the obvious inequality q ≤ T . As we will see later, it is always possible to distinguish a random Feistel scheme Ψ (r)(2n) from a uniformly random permutation with complexity O(22n). This comes from the fact that a Feistel scheme has always an even signature, whereas a random permutation has an even signature with probability 1/2.We will therefore sometimes consider the difficulty of distinguishing a random Feistel scheme from a random permutation with an even signature. For this reason we also define the notion of (S)PRP+ (strong pseudorandom even permutation) by simply substituting Perm+ (D) to Perm (D) in the definitions of PRP and SPRP. We will use sometimes the term CPA (Chosen Plaintext Attack) to qualify an adversary trying to break the pseudorandomness of a permutation generator, and CPCA (Chosen Plaintext-Ciphertext Attack) to qualify an adversary trying to break the strong pseudorandomness of a permutation generator. It will always imply adaptive attacks.

3 The Russian Dolls Construction

In this section we explain our design strategy in all generality. Assume one knows how to construct a secure (S)PRP E on D using a relatively large set of keys K structured as a direct product of smaller permutations spaces K = (i) Perm (D1) × ...× Perm (Dλ). Assume now that there exists secure PRPs E , 1 ≤ i ≤ λ,onDi with key spaces Ki. Then it is possible to define a new (S)PRP E on D with key space K = K1 × ...×Kλ,by E (·)=E (1) (λ) (·) . (1) (K1,...,Kλ) (E ,...,E ) K1 Kλ For simplicity, we will make the assumption that when the E(i)’s are given as oracles, ciphering or deciphering with E requires only direct queries to the E(i)’s. As will be clear from the proof of the theorem below, this enables to use only secure PRPs for the E(i)’s. As soon as it requires access to the direct and the inverse oracle for some i, E(i) has to be a secure SPRP. The security of the new (S)PRP E is characterized by the following theorem: Theorem 1 (Security of the Russian Dolls construction). Let E be an (, T )-secure PRP (resp. SPRP) on D indexed by key space K =Perm(D1)×...× D E(i) ≤ i ≤ λ  ,T D Perm ( λ).Letalso , 1 ,be( i )-secure PRPs on i with key spaces K E  λ  ,T i. Then the permutation generator defined by Equ. 1 is an ( + i=1 i )- secure PRP (resp. SPRP) on D with key space K = K1 × ...×Kλ. Proof. The proof proceeds by a standard hybrid method. Let A be an oracle algorithm running in time T . We are interested in bounding its advantage in distinguishing the PRP E: 72 J. Patarin and Y. Seurin E (1) (λ) (E ,...,E ) $ K K Pr (K1,...,Kλ) ←−K1 × ...×Kλ : A 1 λ =1 − Pr G ←−$ Perm (D):AG =1 . This advantage is upper bounded through the triangular inequality by the sum of $ E(G ,...,G ) Pr (G1,...,Gλ) ←−K : A 1 λ =1 − Pr G ←−$ Perm (D):AG =1 and the sum for i =1to λ of the following quantities (where by convention for i =1(resp. i = λ), the expressions were i−1 (resp. i+1) appears are discarded): $ Pr (K1,...,Ki) ←−K1 × ...×Ki, G ,...,G ←−$ D × ...× D ( i+1 λ) Perm ( i+1) Perm ( λ): E (1) (i) (E ,...,E ,Gi+1,...,G ) A K1 Ki λ =1 $ − Pr (K1,...,Ki−1) ←−K1 × ...×Ki−1, $ (Gi,...,Gλ) ←− Perm (Di) × ...× Perm (Dλ): E (1) (i−1) (E ,...,E ,Gi,...,G ) A K1 Ki−1 λ =1

The first term is upper bounded by definition by  as E is an (, T )-secure PRP. The i-th of the λ other terms is upper bounded by i. Indeed, one can (i) build a probabilistic distinguisher Ai for E as follows. Let F be the oracle to which Ai has access. Ai draws random keys (K1,...,Ki−1) and random permutations (Gi+1,...,Gλ) and runs A, answering each of its queries with E (1) (i−1) .ThenAi runs in time T and its advantage is exactly (E ,...,E ,F,Gi+1,...,Gλ) K1 Ki−1 (i) the quantity above. Hence by hypothesis on E it cannot be greater than i. The theorem follows. The SPRP case is handled in a similar way. More restricted versions of this theorem in the information-theoretic setting can be found in [20, Theorem 1] and [35, Lemma 20]. When the key spaces Ki are themselves permutations spaces, the construction can be iterated to decrease the key size of the outermost PRP. This construction may use functions instead of permutations or even a mix of functions and permutations. However, we will be primarily interested in permutations. We will now see how to use the Russian Dolls construction with concrete PRP schemes. 4 Constructions with Balanced Feistel Schemes

Two main lines of research have been explored concerning Feistel schemes: one aims at giving security bounds against information-theoretic adversaries, the other tries to describe generic attacks on random Feistel schemes. We sum up some known results about these two domains. Building Secure Block Ciphers on Generic Attacks Assumptions 73

4.1 Information-Theoretic Bounds First, we review the security results on random Feistel schemes holding in the information-theoretic setting, i.e. against computationally unbounded adver- saries. All these results are purely combinatorial and can be restated in terms of statistical closeness between the output of a Feistel permutation and the out- put of a uniformly random permutation. Though we restate them in terms of computational runtime T ,itisessentialtonotethattheyareinfactalltruein terms of number of oracle queries q. The computational statement simply stems from q ≤ T . n Luby and Rackoff started the subject by proving [19] that Ψ (3)(2n) is a Ω(2 2 )- n secure PRP, and claiming (without proof) that Ψ (4)(2n) is a Ω(2 2 )-secure SPRP. The later was proved by Patarin in [23]. The first improvements beyond the n so-called “birthday bound” (namely, Ω(2 2 )-security) came from Patarin who 2n proved respectively in [25] and [26] that Ψ (5) is a Ω(2 3 )-secure PRP and Ψ (6) 3n is a Ω(2 4 )-secure PRP. Maurer and Pietrzak showed [21] that for r sufficiently r −O 1 n large, Ψ ( ) is a Ω(2(1 ( r )) )-secure SPRP. Finally, Patarin proved in [28,29] that the information-theoretic optimal security is obtained for 5 rounds in a CPA attack (i.e. Ψ (5) is a Ω(2n)-secure PRP) and 6 rounds for a CPCA at- tack (i.e. Ψ (6) is a Ω(2n)-secure SPRP). It is still an open problem to improve the bound for Ψ (5) in a CPCA attack (for now it is only known that Ψ (5) is a n Ω(2 2 )-secure SPRP). However, building on these results doesn’t enable to construct secure schemes using the Russian Dolls construction as the security decreases with the block size. We will see in the following how we can circumvent this problem by making hypotheses on the best generic attacks on random Feistel schemes.

4.2 Generic Attacks on Feistel Schemes Generic Attacks on Ψ (3) and Ψ (4). Generic attacks on Ψ (3) and Ψ (4) match- ing the information-theoretic security bounds were described in [25] and later independently in [1]. In the 3-round case, for a CPA attack, the adversary gets m values yi = E(xi) and counts the number of (i, j), i

Brute Force Attacks. We state the following result concerning brute force attacks on Feistel schemes, valid for any number of rounds. Claim. Let r, n be non null integers, r fixed. Then there exists an oracle ad- n versary, running in time Θ(2rn2 ) and distinguishing Ψ (r)(2n) from a random permutation with overwhelming probability. A rigorous proof of this claim can be found in [24]. Note that a simple entropy argument [21, footnote 2] shows that the number of oracle queries required is only r · 2n, which is in O(2n) for any fixed r. The adversary proceeds by making r an exhaustive search on the key space Func (n, n) toseeifthereisoneforwhich all queries match. It is however highly non trivial to reduce the complexity of the distinguisher described in the above claim in the case r ≥ 5, as we will see now.

Attacks “By The Signature”. As noticed by Patarin in [27], there are better attacks than the exhaustive search described above taking advantage of the fact that Feistel schemes lie in a proper subgroup of Perm (2n),namelyPerm+ (2n). Indeed, it can easily be checked (see [27]) that a Feistel scheme has always an even signature. Clearly, the signature of a permutation E ∈ Perm (2n) can be computed in time O(22n) when all the cipherbook is available. As a random 1 permutation has an even signature with probability 2 , we have the following claim: Claim. Let r, n be non null integers. Then there exists an oracle adversary, running in time Θ(22n) and distinguishing Ψ (r)(2n) from a uniformly random 1 permutation with probability 2 . However, as we will see in the following, it is much harder to distinguish Ψ (r) when this “global” property is suppressed, i.e. when the adversary tries to distinguish Ψ (r) from a random permutation with an even signature.

Best Known Attacks against Ψ (r) as an SPRP+ When r ≥ 5. The best generic attacks for distinguishing Ψ (r) from a random even permutation fall in the class of iterated attacks of order 2. The notion of iterated distinguisher of order d has been defined by Vaudenay [34,35]. Roughly, such a distinguisher obtains a number d of plaintext-ciphertext pairs (xj ,yj), takes a binary decision γi depending on x =(x1,...,xd) and y =(y1,...,yd),andafterN repetitions of this, outputs 0 or 1 depending on (γ1,...,γN ). At each iteration i,thed-tuple of plaintext-ciphertext pairs that is tested is determined, possibly adaptively, and possibly in a probabilistic way1 by the adversary, by making only queries to E for a CPA attack, or to E and E−1 for a CPCA attack. It is important however that the decision function Γ such that γi = Γ (x, y) is fixed during all the attack. In particular, it must not depend on the previously tested d-tuples and previous decisions. Indeed, if it were the case, the i-th decision γi of the adversary would in

1 Indeed, as we consider computationally bounded adversaries, there may be an ad- vantage for the adversary to be probabilistic. Building Secure Block Ciphers on Generic Attacks Assumptions 75

Parameters: number of iterations N, decision function Γ : Dd ×Dd →{0, 1}, acceptance set S ⊂{0, 1}N Oracle:apermutationE ∈ Perm (D) (and possibly its inverse E−1) 1: for i =1to N do 2: for j =1to d do −1 3: select xj ∈Dand get yj = E(xj ) or select yj ∈Dand get xj = E (yj ) 4: end for 5: set γi = Γ (x, y),wherex =(x1,...,xd) and y =(y1,...,yd) 6: end for 7: if (γ1,...,γN ) ∈ S then output 1 else output 0

Fig. 1. Iterated attack of order d fact depend on all previous d-tuples already tested and the distinguisher would in fact be a classical d-limited adversary with d >d. Note that this is only a logical description. In particular the total runtime of the adversary can be less than N. For example, the generic attack described previously on Ψ (4) is an iterated attack of order 2 where the attacker makes N = m(m − 1) tests in time m by storing the m values of xiL ⊕yiL and counting√ the number of collisions. The total runtime of the adversary is thus T = N. It is evident that making the same test more than one time does not increase the advantage of the adversary, hence we will assume that the distinguisher never makes twice the same test. Thus, the total number of possible tests is 22n(22n − 1) ···(22n − d +1).Note that the outcomes of the tests are of course not independent. Up to now, the best distinguishing attacks on Feistel schemes with r ≥ 5 rounds, described in [28], are iterated attacks of order 2. They follow the general description of Fig. 1. We describe the case r even; the case r odd is handled in a similar way. The attacks need only to access the direct oracle E. To understand how these attacks work, we introduce the d-ary transition probabilities associated to a permutation generator E on D with key space K defined for any pairs of d-tuples x =(x1,...,xd), y =(y1,...,yd) of distinct elements of D by EK $ Pr[x −−→ y]=Pr K ←−K : EK (xi)=yi for all i ∈ [1..d] . (2)

These quantities were introduced and extensively studied by Patarin in [24,23] and are fundamental in upper bounding the advantage of information-theoretic adversaries making less than d queries and trying to distinguish EK from a uniformly random permutation on D. In particular, closed formula were given in d r ∗ 1 the binary case =2, for any number of rounds .LetPr = 22n(22n−1) denote the binary transition probability for a random even permutation for any x and Ψ (r) y. We will simply note Pr for Pr[x −−−→ y].Forr even, when x1R = x2R,then depending on (y1,y2) the transition probabilities have the following values: y y ∗ − 1 1. when 1L = 2L, Pr = Pr 1 2(r−2)n y y x ⊕ y x ⊕ y  ∗ − 1 2. when 1L = 2L and 1L 1L = 2L 2L, Pr Pr 1 r −1 n 2( 2 ) 76 J. Patarin and Y. Seurin y y x ⊕ y x ⊕ y  ∗ 1 3. when 1L = 2L and 1L 1L = 2L 2L, Pr Pr 1+ r −2 n 2( 2 ) With these notations the attack proceeds as follows. The adversary tests N pairs (x1,y1), (x2,y2) such that x1R = x2R. The decision function is defined by 0 if Pr ≤ Pr∗ (cases 1 and 2) Γ (x, y)= ∗ 1 if Pr > Pr (case 3) X X N γ E X σ X Let be the random variable defined by = i=1 i.Let ( ) and ( ) (resp. E∗(X) and σ∗(X)) be the expected value and the standard deviation of X for a random Feistel scheme (resp. a random even permutation). One can ∗ N N 1 E X  n E X  n easily check that ( ) and ( ) 1+ r −2 n ,anditcanbe 2 2 2 ) √ √ 2( ∗ N N proved that σ (X)  n and σ(X)  n . If we let the acceptance set be 2 2 2 2 S { γ ,...,γ | N γ ≥ τ} τ E X − E∗ X / = ( 1 N ) i=1 i for =( ( ) ( )) 2, the adversary will have a noticeable advantage as soon as τ is larger than σ(X) and σ∗(X).This implies the condition N ≥ 2(r−3)n. 3n Because of the constraint x1R = x2R, the number of possible tests is only 2 . So in order to have a meaningful attack for r ≥ 7 we have to broaden slightly the security model by letting the adversary interact with μ>1 permutations randomly outputted by the generator. The adversary will have to repeat the test on μ =2(r−6)n permutations. For each permutation, the 23n tests can in fact be 2n implemented in time 2 by building, for each possible value of xR, the list of n the 2 values for xiL ⊕yiL and counting the number of collisions. Hence the total runtime of A is T=μ22n =2(r−4)n. Note that originally Patarin [28] described a known plaintext attack with roughly the same complexity. We will take these best known generic attacks as a starting point to build secure PRPs by making the following conjecture: Conjecture 1. Let n>1 be an integer, r be an integer ≥ 5.ThenΨ (r)(2n) is a O T ,T + ( ( 2(r−4)n ) )-secure SPRP . Evidence in favour of this conjecture is that the best distinguishing attacks for 3 and 4 rounds, matching the information-theoretic bounds, are iterated attacks of order 2. Hence this conjecture may be viewed as a natural generalization to r ≥ 5 of a provable result for r<5. We also conjecture that for a fixed d, iterated attacks of order d are not more efficient than the best iterated attack of order 2 for sufficiently large n. Hence improving the attacks described above would require to handle large d-tuples of plaintext-ciphertext pairs, which appears to be intractable as the computation of the transition probabilities for random Feistel schemes becomes very involved as soon as d ≥ 3.

4.3 The Russian Dolls Construction with Balanced Feistel Schemes We now concretely describe how to construct a secure SPRP using the Russian Dolls construction and Conjecture 1. The parameters of the construction will be as follows: Building Secure Block Ciphers on Generic Attacks Assumptions 77

– the block size of the SPRP will be 2n, – s will denote the number of iterations of the Russian Dolls construction, – r1,r2,...,rs = will denote the number of rounds of the Feistel schemes used at the i-th iteration of the process.

We start with the outermost Feistel scheme, which will have r1 rounds. If it were to be instantiated with r1 random functions, the obtained permutation generator O T ,T + would be a ( ( (r1−4)n ) )-secure SPRP . However, the size of the key would n 2 be r1n2 bits, which is impractical for usual values of n. Using the Russian Dolls construction, one can decrease the size of the key while maintaining a good level of security by instantiating each function inside the Feistel scheme Ψ (r1) with independent Feistel schemes with r2 rounds. Again, each function used in the (r2) r1 Feistel schemes Ψ can be instantiated using independent Feistel schemes with r3 rounds, and so on...Notethatweimplicitlymakeheretheassumption that the security of a Feistel scheme with internal random permutations is close to the security obtained when using internal random functions. A security proof by Piret [33] as well as preliminary results on generic attacks on Feistel schemes with internal permutations [32] point towards the validity of this assumption. Consider the permutation generator obtained after s iterations of the nesting n process. The innermost Feistel schemes use random functions from s−1 bits to n 2 2s−1 bits which will constitute the key for the global permutation generator. It can easily be seen that the total number of functions needed to define the global permutation is r1 · r2 ...rs. Hence the size of the key defining a permutation is

n n log (|K|)=r · r ···rs · · 2 2s−1 . 2 1 2 2s−1

Suppose now that the numbers of rounds ri were chosen as the minimal integers to satisfy, for some α, the following inequality: n 2i−1α (ri − 4) ≥ α i.e. ri = +4 . (3) 2i−1 n

According to Conjecture 1, any Feistel scheme used in the construction is a T ,T ( 2α )-secure SPRP. Then, according to Theorem 1, any adversary running in time T and trying to distinguish a permutation resulting from the overall construction from a uniformly random even permutation has an advantage upper bounded by ⎛ ⎞ s i T T T T ⎝ ⎠ T + r + r ... + rs · ... = 1+ rj . 2α 1 2α 2 2α 2α 2α i=1 j=1

Suppose that n is a power of 2. From an asymptotic point of view, if we set α = poly(n), Equation 3 shows that for a logarithmic number on iterations s n − c c =log2( ) ,forsomeconstant , (which means that the key is constituted c+1 c+1 of functions from 2 bits to 2 bits), the numbers of rounds ri will all be 2 polynomials in n. Hence the size of the key will be in poly(n)log n = eO((log n) ), 78 J. Patarin and Y. Seurin

eO((log n)2) T ,T which is quasi-polynomial, whereas the security is in ( 2poly(n) ).So the Russian Dolls construction will be quite efficient and secure. In practice, the optimal number of iterations is determined the following way. Assume that s iterations have been made, and we want to know whether the following iteration will increase or decrease the size of the key (we suppose that the loss of security coming from the next iteration is negligible). Up to now, the number of bits needed to store one of the functions constituting the key is n n · 2s−1 2s−1 2 . Iterating the construction one more time would require to instantiate each of these functions with Feistel schemes with rs+1 rounds, where rs+1 verifies Equ. 3. Hence the storage requirements for each function would become rs+1 · n n · 2s 2s 2 . Consequently, it is unfavourable to iterate again as soon as

n n n n n s s +1 rs · · 2 2 ≥ · 2 2s−1 , i.e. rs ≥ 2 2 . +1 2s 2s−1 +1

4.4 Concrete Instantiations

We give now some concrete values for the parameters (n, s, ri). We describe a block cipher with 128-bit blocks, hence n =64. We aim roughly at 80-bit security, meaning that the cipher has to be a (T/280,T)-secure SPRP. After some optimizations, one can verify that s =5iterations, with the following number of rounds: r1 =6, r2 =7, r3 =10, r4 =16and r5 =28, is optimal and gives the desired level of security. The size of the expanded key, constituted of functions from 4 bits to 4 bits, is |K| × × × × × × 4  . , log2( )=6 7 10 16 28 4 2 1 5 MB which is quite practical. Note however that stopping at s =4iterations (with the same number of rounds r1 to r4) yields an expanded key size of  1.7 MB, which is close to the previous size. Yet the resulting block cipher would be much faster as the number of table accesses to encrypt or decrypt one plaintext would only be 6 × 7 × 10 × 16 = 6, 720 instead of 6 × 7 × 10 × 16 × 28 = 188, 160,which shows that trade-offs are possible.

Key Schedule. It is arguable that such a block cipher as we just described would be implemented using pseudorandom bits for the expanded key. We did not consider this problem in details and expect that a provably secure pseudorandom number generator, such as BBS [8] or QUAD [6] would be used to expand a smaller key. It may even be possible to design a key expansion procedure relying itself on the Russian Dolls construction with PRFs rather than PRPs. Besides, we’d like to underline that the nonexistence of short keys may be turned into an advantage in some cases, particularly in a white-box context of operation [9]. We leave this as topics for further research.

5 Conclusion and Further Work

We described a general recursive strategy enabling to build secure PRFs or PRPs and applied this design approach with random balanced Feistel schemes in order Building Secure Block Ciphers on Generic Attacks Assumptions 79 to obtain symmetric primitives provably secure under plausible conjectures about generic attacks on random Feistel schemes. The schemes we obtain look very promising: the size of the expanded key required for our proposed constructions is of the order of 1 MB, and hence compares very favorably with other proposals of provably secure block ciphers such as KFC which may require in extreme cases up to 4 GB of expanded key. Moreover our schemes should be very fast in software as they require only XOR operations and table look-ups. Other structures are potentially very interesting to use inside the Russian Dolls construction. In the case of PRP constructions, unbalanced Feistel schemes could be suitable. They have been studied in [15,30,31] and could lead to ex- panded key size savings and efficiency improvements. Such schemes are currently under investigation. Finally, proving results in the vein of Conjecture 1 may be very difficult be- cause of its connexions with the “P vs. NP” problem. However it may be possible to obtain more restricted security results by considering weaker models of adver- sary (such as iterated attacks of order d). Such results would greatly reinforce the confidence in the primitives based on the Russian Dolls construction. Ex- ploring new kinds of attacks on random Feistel schemes (e.g., by studying the cycle structure of the permutation) might also be a fruitful avenue of research.

References

1. Aiello, W., Venkatesan, R.: Foiling birthday attacks in length-doubling transforma- tions. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996) 2. Anderson, R.J., Biham, E.: Two Practical and Provably Secure Block Ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996) 3. Baignères, T., Finiasz, M.: Dial C for cipher. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 76–95. Springer, Heidelberg (2007) 4. Baignères, T., Finiasz, M.: KFC - the krazy feistel cipher. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 380–395. Springer, Heidelberg (2006) 5. Bellare, M., Kilian, J., Rogaway, P.: The Security of the Cipher Block Chaining Message Authentication Code. J. Comput. Syst. Sci. 61(3), 362–399 (2000) 6. Berbain, C., Gilbert, H., Patarin, J.: QUAD: A practical stream cipher with provable security. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 109–128. Springer, Heidelberg (2006) 7. Blaze, M.: Efficient Symmetric-Key Ciphers Based on an NP-Complete Subproblem (1996), http://www.crypto.com/papers/turtle.pdf 8. Blum, L., Blum, M., Shub, M.: A Simple Unpredictable Pseudo-Random Number Generator. SIAM J. Comput. 15(2), 364–383 (1986) 9. Chow, S., Eisen, P.A., Johnson, H., van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003) 10. Contini, S., Lenstra, A.K., Steinfeld, R.: VSH, an efficient and provable collision- resistant hash function. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 165–182. Springer, Heidelberg (2006) 80 J. Patarin and Y. Seurin

11. Garey, M.R., Johnson, D.S.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, New York (1979) 12. Goldreich, O., Goldwasser, S., Micali, S.: How to Construct Random Functions. J. ACM 33(4), 792–807 (1986) 13. Granboulan, L., Nguyên, P.Q., Noilhan, F., Vaudenay, S.: DFCv2. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 57–71. Springer, Heidelberg (2001) 14. Granboulan, L., Pornin, T.: Perfect block ciphers with small blocks. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 452–465. Springer, Heidelberg (2007) 15. Jutla, C.S.: Generalized birthday attacks on unbalanced feistel networks. In: Krawczyk, H. (ed.) CRYPTO 1998, vol. 1462, pp. 186–199. Springer, Heidelberg (1998) 16. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996) 17. Koblitz, N., Menezes, A.: Another Look at Provable Cryptography. J. Cryptol- ogy 20(1), 3–37 (2007) 18. Luby, M., Rackoff, C.: Pseudo-random Permutation Generators and Cryptographic Composition. In: STOC, pp. 356–363. ACM, New York (1986) 19. Luby, M., Rackoff, C.: How to Construct Pseudorandom Permutations from Pseu- dorandom Functions. SIAM J. Comput. 17(2), 373–386 (1988) 20. Maurer, U.M.: A simplified and generalized treatment of luby-rackoff pseudoran- dom permutation generators. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 239–255. Springer, Heidelberg (1993) 21. Maurer, U.M., Pietrzak, K.: The Security of Many-Round Luby-Rackoff Pseudo- Random Permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 544–561. Springer, Heidelberg (2003) 22. Morin, P.: Provably Secure and Efficient Block Ciphers. In: Selected Areas in Cryp- tography - SAC 1996, pp. 30–37 (1996) 23. Patarin, J.: Pseudorandom Permutations Based on the DES Scheme. In: Charpin, P., Cohen, G. (eds.) EUROCODE 1990. LNCS, vol. 514, pp. 193–204. Springer, Heidelberg (1991) 24. Patarin, J.: Etude des générteurs de permutations basés sur le schéma du DES, Ph.D. thesis, INRIA, Domaine de Voluceau, Le Chesnay, France (1991) 25. Patarin, J.: New results on pseudorandom permutation generators based on the DES scheme. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 301–312. Springer, Heidelberg (1992) 26. Patarin, J.: About feistel schemes with six (or more) rounds. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 103–121. Springer, Heidelberg (1998) 27. Patarin, J.: Generic attacks on feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001) 28. Patarin, J.: Security of random feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004) 29. Patarin, J.: On linear systems of equations with distinct variables and small block size. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 299–321. Springer, Heidelberg (2006) 30. Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced feistel schemes with contracting functions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 396–411. Springer, Heidelberg (2006) Building Secure Block Ciphers on Generic Attacks Assumptions 81

31. Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced feistel schemes with expanding functions. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 325–341. Springer, Heidelberg (2007) 32. Patarin, J., Treger, J.: Generic Attacks on Feistel Networks with Internal Permu- tations (2008) (in submission) 33. Piret, G.: Luby-Rackoff Revisited: On the Use of Permutations as Inner Functions of a Feistel Scheme. Des. Codes Cryptography 39(2), 233–245 (2006) 34. Vaudenay, S.: Resistance against general iterated attacks. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 255–271. Springer, Heidelberg (1999) 35. Vaudenay, S.: Decorrelation: A Theory for Block Cipher Security. J. Cryptol- ogy 16(4), 249–286 (2003) 36. Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers prov- ably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, Heidelberg (1990)